AMITIAE - Thursday 9 January 2014
Cassandra: Brazil - Where the Phish Come From - Identifying Sources using Mail and Network Utility
By Graham K. Rogers
It is fairly early in the new year, but this seems to be the beginning of a new phishing season. This morning there were three emails allegedly from Quicken, makers of well-known accounting software. Each also carried the PDF-like attachment with the malicious secret inside: the same file (identical file name) with that tell-tale extension.
As I mentioned yesterday, I use the BetterZip Quick Look Generator, which adds the ability to examine the contents of a zip file with the Finder's Quick Look feature. I highlight the attachment in the email and press the spacebar.
I also looked at the raw source of each email message. Each had come from "email@example.com", which looks genuine enough (a Google search showed that Quicken's URL is www.quicken.intuit.com).
To see that raw information, use the View menu in Mail and then Message > Raw Source, or the keyboard shortcut Option + Command + U. There were also sender details with a .br suffix: Brazil, which, according to a line in the comedy play Charley's Aunt, is "where the nuts come from".
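To pull those same clues out of a raw message without reading every header by eye, here is an added Python example (not code from the column): it walks the Received chain back to the earliest hop and compares the envelope sender's domain with the domain in the From header. The message, hosts and addresses are constructed placeholders that mirror the .br clue above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample raw message (placeholders, not a real phishing mail).
RAW_MESSAGE = """\
Return-Path: <cobranca@mail.exemplo.com.br>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP; Thu, 9 Jan 2014 08:12:01 +0700
Received: from smtp.exemplo.com.br (smtp.exemplo.com.br [203.0.113.45])
\tby mx.example.org with ESMTP; Thu, 9 Jan 2014 08:11:58 +0700
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby smtp.exemplo.com.br with SMTP; Thu, 9 Jan 2014 08:11:50 +0700
From: "Quicken" <invoices@example.com>

Please open the attached invoice.
"""

# "from <claimed host> (<what the receiving server actually saw>)"
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.IGNORECASE)


def received_hops(raw):
    """Return (claimed_host, observed) per Received header, newest first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def origin_hop(raw):
    """Oldest hop, i.e. closest to the real sender. Only lines added by
    servers you trust are reliable; a sender can forge earlier ones."""
    hops = received_hops(raw)
    return hops[-1] if hops else None


def sender_domains(raw):
    """Envelope sender domain (Return-Path) and From-header domain."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    return (envelope.rpartition("@")[2].lower(),
            header_from.rpartition("@")[2].lower())


def country_suffix(domain):
    """Two-letter country-code TLD such as 'br', or None for .com/.org."""
    label = domain.rsplit(".", 1)[-1]
    return label if len(label) == 2 else None
```

A mismatch between the two domains from sender_domains, plus a country suffix that does not fit the claimed sender, is the same signal the column reads off the raw source by hand.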
Traceroute was a bit better (there is a definite lag as True tries to connect with the outside world), and once again, via Singapore, we were connected to Brazil.
Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand, where he is also Assistant Dean. He wrote on IT subjects in the Bangkok Post's Database supplement. For the last seven years of Database he wrote a column on Apple and Macs.
For further information, e-mail to